patch for OSX

Attached is a patch to make sshd work on OSX when using plain ol' Kerberos authentication as opposed to opendirectory authentication.

Cheers, Nick

-------------------------------------------------------------------------- NOTICE: Morgan Stanley is not acting as a municipal advisor and the opinions or views contained herein are not intended to be, and do not constitute, advice within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. If you have received this communication in error, please destroy all electronic and paper copies and notify the sender immediately. Mistransmission is not intended to waive confidentiality or privilege. Morgan Stanley reserves the right, to the extent permitted under applicable law, to monitor electronic communications. This message is subject to terms available at the following link: http://www.morganstanley.com/disclaimers. If you cannot access these links, please notify us by reply message and we will send the contents to you. By messaging with Morgan Stanley you consent to the foregoing.

On Wed, Mar 28, 2012 at 01:01:51PM +0100, Williams, Nick wrote:
> Attached is a patch to make sshd work on OSX when using plain ol'
> Kerberos authentication as opposed to opendirectory authentication.

Unfortunately your diff didn't make it to the list (it strips any attachments that aren't plain text). Please resend as text or inline, or open a bug at https://bugzilla.mindrot.org and attach it there.

The opendirectory lookups in gss-serv-krb5.c, used for OS X, had reversed boolean logic, meaning that the code will fail if ever the OD lookup or the group membership calls returned success. Obviously this is wrong, but even more so the log messages were a bit sparse so it was hard to see why the PAM call was being rejected. This commit fixes the logic and adds in some extra log messages in the case of failure.

---
 gss-serv-krb5.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Nick had problems sending the patch to the list, so I'm just passing this along. I'm not sure that the patch is correct, but the man page for krb5_unparse_name does say "If no errors occur, the return value is 0. Otherwise, a Kerberos error code is returned."

------------------------------------

Gah, email filters stripping usefulness! Sorry. I've removed the GIT patch headers just to get the diff through ;-). Let me know if this works.

Cheers, Nick

The opendirectory lookups in gss-serv-krb5.c, used for OS X, had reversed boolean logic, meaning that the code will fail if ever the OD lookup or the group membership calls returned success. Obviously this is wrong, but even more so the log messages were a bit sparse so it was hard to see why the PAM call was being rejected. This commit fixes the logic and adds in some extra log messages in the case of failure.

---
 gss-serv-krb5.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
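
The return-value mistake the commit message describes, shown as an added example that is not part of the thread or of the OpenSSH patch. The two stub functions are hypothetical stand-ins that follow the "0 on success, error code otherwise" convention, and the user names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for a directory lookup and a group membership
 * call. Both return 0 on success and a non-zero error code otherwise. */
static int stub_lookup(const char *user)
{
    int known = strcmp(user, "alice") == 0 || strcmp(user, "bob") == 0;
    return known ? 0 : 2;               /* 2 = constructed "no such user" */
}

static int stub_membership(const char *user, int *ismember)
{
    *ismember = (strcmp(user, "alice") == 0);
    return 0;                           /* the call itself succeeded */
}

/* Reversed logic: a 0 (success) return is treated as the failure case,
 * so every successful call ends in a silent rejection. */
int user_ok_reversed(const char *user)
{
    int ismember = 0;
    if (!stub_lookup(user))
        return 0;
    if (!stub_membership(user, &ismember))
        return 0;
    return ismember;
}

/* Corrected logic: non-zero means failure, and each rejection path logs
 * the reason so a denied login can be diagnosed. */
int user_ok_fixed(const char *user)
{
    int rc, ismember = 0;
    if ((rc = stub_lookup(user)) != 0) {
        fprintf(stderr, "lookup failed for %s (error %d)\n", user, rc);
        return 0;
    }
    if ((rc = stub_membership(user, &ismember)) != 0) {
        fprintf(stderr, "membership check failed for %s (error %d)\n", user, rc);
        return 0;
    }
    if (!ismember)
        fprintf(stderr, "%s is not in the required group\n", user);
    return ismember;
}
```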